My dhcpd.conf

Last Update 07th October 2008

This guide is aimed at users of Debian Linux. The
configuration options are generic, but the location of files and
version of the software might be different on other Linux flavours. If
anyone has any comments, or manages to make this guide work
for other Linux flavours please tell me, and I will
add the comments to the guide.

My Network

First, a few details about my network structure. I use the private subnet 192.168.0.0 with a netmask of 255.255.255.0. The internal domain name is int.example.org. The server runs a number of services including DNS (domain name service), NIS (network information service) and NTP (network time protocol); it also acts as a router for the network, with a second network card connecting to the internet.

The hostname of the dhcp server is mars.example.org. This is a pretty randomly chosen network name; as it won't be on the internet you can use pretty much any name you want.
The IP address of the server is 192.168.0.2. I run ISC's dhcp3 server. The configuration file is located at /etc/dhcp3/dhcpd.conf and the startup script at /etc/init.d/dhcp3-server. If you are running the older dhcp2 server, the configuration file is probably located at /etc/dhcpd.conf and the startup script at /etc/init.d/dhcp.

If you don't have dhcpd installed already, run

apt-get install dhcp3-server

or use your Linux flavour's package management tool. I don't want to get bogged down in the details of how to compile from source; possibly I will spin that off into another article at some point.

The following is an annotated listing of my /etc/dhcpd.conf file. The original can be downloaded here

Please note that Debian has a file /etc/default/dhcp3-server in which you set which interfaces the server listens on. If your server has more than one network card you can choose which interface the server listens on by editing this file.

Example dhcpd.conf

Based on my network settings here is a simple subnet declaration. You will need to edit this depending on what subnet you use.

subnet 192.168.0.0 netmask 255.255.255.0 {    # This is a subnet which the dhcpd server controls; note the { is required
    default-lease-time 345600;                 # Sets the lease time in seconds before computers must renew their leases
    max-lease-time 691200;                     # Sets the maximum amount of time a PC can hold a lease for
    option domain-name "example.org";          # Sets the domain name
    option domain-name-servers 192.168.0.2;    # Sets the DNS servers; you can have one or multiple IP addresses separated by commas
    option routers 192.168.0.2;                # Sets the network gateway / router
    option broadcast-address 192.168.0.255;    # Sets the network broadcast address
    range 192.168.0.20 192.168.0.30;           # Defines a range of IPs to be used as leases
}

If you want more available addresses you can change the range accordingly. For example, changing the range statement to "range 192.168.0.100 192.168.0.200;" would give 100 free address leases to the pool. IP addresses are formed xxx.xxx.xxx.xxx where each xxx must be a number between 0 and 254. You must not use addresses that end in .0 or .255 as they are reserved for broadcast traffic.

DHCP Options

The options directives feed various information to the clients. You can find out more by typing man dhcp-options, or this site has a nice breakdown of the available options to send to the client computers.

Adding a default lease

You may want one computer or device to always get the same IP without statically defining it on the device itself; for example, you might want to set up DNS without using dynamic DNS. So long as you know the MAC address of the computer or device it's easy. If you do not know the MAC address of a device you can find it by running a command: on Windows open a command prompt and type "ipconfig /all"; Linux users can type ifconfig eth0 in a terminal. Additionally most hardware manufacturers print the MAC address on the device, usually near the serial number on a label, or show it in the admin program. MAC addresses are usually in the form XX-XX-XX-XX-XX-XX where each XX is a hexadecimal value. The hyphens (or colons) are only used to make the MAC human readable.

On my network I give out a fixed lease IP address to several devices including my wireless access point. I could have statically assigned it an IP address. However, I wanted everything controllable via my dhcp server, so that if I ever want to change network addresses or settings such as the default route I only have to edit one file, rather than manually reassign addresses. On a small network it might be quicker to statically assign addresses, but if you need to scale up it can save you a considerable amount of time to only have to edit one file.

host solar_sys {                              # Sets the hostname of the client computer, in this case solar_sys
    hardware ethernet 00:80:4f:1d:57:47;      # Registers the MAC address of the client computer
    fixed-address 192.168.0.50;               # Specifies the IP address to be used by the client, 192.168.0.50
}

Note the access point is set to get an IP address via DHCP. The hostname of the access point is solar_sys, and the IP address is 192.168.0.50.
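An added example, not from the guide, that checks the subnet range above and a fixed-address host block for the mistakes this section warns about (a reserved .0 or .255 address, a range outside the subnet, the router or a fixed address inside the dynamic pool) and normalises a MAC from the hyphen form ipconfig prints. The function names and the collision check are my own; the addresses are the guide's.

```python
# Added example, not from the guide: sanity-check a subnet declaration and a
# fixed-address host block before restarting dhcpd. Standard library only;
# the addresses are the ones used in the article above.
import ipaddress
import re

def normalise_mac(mac):
    """Accept the Windows form (00-80-4F-1D-57-47) or the Linux form
    (00:80:4f:1d:57:47) and return the colon form for 'hardware ethernet'."""
    parts = re.split(r"[-:]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(p.lower() for p in parts)

def check_pool(subnet, netmask, first, last, router):
    """Problems with 'range first last;' inside 'subnet ... netmask ...'.
    An empty list means the pool is usable."""
    net = ipaddress.ip_network("%s/%s" % (subnet, netmask))
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    problems = []
    if lo > hi:
        problems.append("range start %s is after range end %s" % (lo, hi))
    for a in (lo, hi):
        if a not in net:
            problems.append("%s is outside %s" % (a, net))
        elif a in (net.network_address, net.broadcast_address):
            problems.append("%s is the network or broadcast address" % a)
    if lo <= ipaddress.ip_address(router) <= hi:
        problems.append("router %s sits inside the dynamic pool" % router)
    return problems

def check_fixed(host, mac, addr, subnet, netmask, first, last):
    """Problems with a 'host' block: the fixed-address must lie in the subnet
    and should not overlap the dynamic range, where it could also be leased."""
    net = ipaddress.ip_network("%s/%s" % (subnet, netmask))
    a = ipaddress.ip_address(addr)
    problems = []
    if a not in net:
        problems.append("%s: %s is outside %s" % (host, a, net))
    if ipaddress.ip_address(first) <= a <= ipaddress.ip_address(last):
        problems.append("%s: %s collides with the dynamic range" % (host, a))
    normalise_mac(mac)  # raises on a malformed MAC
    return problems

if __name__ == "__main__":
    net = ("192.168.0.0", "255.255.255.0")
    print(check_pool(*net, "192.168.0.20", "192.168.0.30", "192.168.0.2"))
    print(check_fixed("solar_sys", "00-80-4F-1D-57-47", "192.168.0.50", *net, "192.168.0.20", "192.168.0.30"))
```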

Starting and stopping

To start the server run the command "/etc/init.d/dhcp3-server start", or for dhcpd version 2 "/etc/init.d/dhcp start".

If the server is already running you can use the "stop" command to stop it, or the "restart" command to run a stop followed by a start. If you're not sure whether the server is running and you want to give it a quick check, "ps -aux | grep dhcp" should return something like

The line /usr/sbin/dhcpd3 -q shows me that the dhcp server is running. It also has a command line switch of -q, which according to the man page is quiet mode.

I am informed that to restart the service on Red Hat you use the command "service dhcp command", command being either stop, start or restart. Thanks to SG for this.

Other DHCP Options

Using the DHCP protocol there are many additional services you could add, or inform client machines about, if you run extra services on your network. These include network time (NTP) and bootp (autobooting dumb terminals), and you can even redirect certain groups of clients to different servers. Most of these options are beyond the scope of this guide, but I have detailed a few examples below.

I run NIS (Network Information Service) on my network. NIS is very insecure, but for a small network firewalled off from the internet it can be a useful method of having centralised user accounts on a Linux/Unix network. You can ignore this unless you want to run a Linux network with centralised user accounts; ask me nicely and I might even write a guide one day ;-) Type "man dhcp-options" for a list of possible options.

If you want your clients to use a centralised time server (again, if your network is based on Windows I wouldn't bother with this):

option time-servers 192.168.0.2;    # Sets the default time server

Dynamic DNS Extensions

Your clients get their addresses dynamically, so wouldn't it be nice to also record the reverse lookups so you can reach your clients by hostname rather than IP address (which of course might change)? Modern versions of the dhcp daemon and the BIND DNS server can talk to each other and dynamically update each other. Dynamic DNS has limited support under version 2 of the ISC dhcp daemon, so I highly recommend upgrading to version 3 if you intend to use dynamic updates.

Security

If you plan to allow updates to your DNS it's a very good idea to implement security so that crackers don't hijack your DNS. The best model for DNS is to use keys to encrypt the zone updates. In order to use key based secure DNS you will need to create a key (or indeed a number of keys); the command to do so is

dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER

This creates two files, a private key and a public key. They will be called something like Kdhcp_updater.+157+47203.key and Kdhcp_updater.+157+47203.private. You only actually need the key string inside these files.
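An added example, not from the guide, showing how the secret string in the K*.private file becomes a dhcpd.conf key stanza, and what that shared secret does for you: any change to a signed update makes the HMAC-MD5 tag fail to verify. The sample file contents and secret are constructed, and the stanza layout and function names are my assumptions rather than anything from the article.

```python
# Added example, not from the guide: read the secret dnssec-keygen wrote into
# the K*.private file, render the dhcpd.conf 'key' block that uses it, and show
# that a tampered update no longer matches its HMAC-MD5 tag. Stdlib only.
import base64
import hashlib
import hmac
import os

# Constructed sample of a K*.private file (the secret is made up); layout
# modelled on dnssec-keygen output, 157 being the HMAC-MD5 algorithm number.
SAMPLE_PRIVATE = """Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 3pF5q+tzBqO1nF7wQx1Xdg==
"""

def new_secret(bits=128):
    """A fresh secret of the kind behind 'dnssec-keygen -b 128': random bytes,
    base64 encoded so they can live in a config file."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")

def secret_from_private(text):
    """Pull the base64 secret out of the 'Key:' line of a K*.private file."""
    for line in text.splitlines():
        if line.startswith("Key:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Key: line found")

def dhcpd_key_block(name, secret):
    """The key stanza for dhcpd.conf; named.conf needs the same name, algorithm
    and secret on its side before it will accept the update."""
    return ('key %s {\n  algorithm hmac-md5;\n  secret "%s";\n};\n'
            % (name, secret))

def sign_update(secret, message):
    """HMAC-MD5 tag over an update; a simplified stand-in for the TSIG record
    (real TSIG also covers the key name, timestamp and fudge)."""
    return hmac.new(base64.b64decode(secret), message, hashlib.md5).digest()

def verify_update(secret, message, tag):
    """Constant-time comparison so a forged tag cannot be probed byte by byte."""
    return hmac.compare_digest(sign_update(secret, message), tag)

if __name__ == "__main__":
    secret = secret_from_private(SAMPLE_PRIVATE)
    print(dhcpd_key_block("DHCP_UPDATER", secret))
    msg = b"update add pc1.int.example.org. 300 A 192.168.0.21"
    tag = sign_update(secret, msg)
    print(verify_update(secret, msg, tag))                          # True
    print(verify_update(secret, msg.replace(b"pc1", b"pc2"), tag))  # False
```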

Editing dhcpd.conf for ddns

Tell the system which ddns update style to use (the standard isn't formal at the time of writing, so I am using the ISC interim method).

Secure Zone Transfers

There are several ways to secure the transfer of DNS zone information. The most common is IP address based restrictions. Unfortunately, security based on IP address is inherently insecure as IP addresses are trivial to spoof. TSIG keys are not only useful for securing dynamic DNS updates; they can also be used to secure your name server zone transfers. Keys are very secure and difficult to crack. This is very useful if your domain name server contains details of your network that you want to hide from the public, or you are worried about hackers poisoning your zone information. I would recommend secure updates as a great method to control access to the zone information.

Dual Booting Clients

A couple of people have told me that there is a problem with leases when dual booting clients so I dug around a bit and found the following